1. Field of the Invention
The present invention relates to an improved data processing system and, in particular, to a method and apparatus for multicomputer data transferring. Still more particularly, the present invention is directed networked computer systems.
2. Description of Related Art
Enterprises generally desire to provide authorized users with secure access to protected resources in a user-friendly manner throughout a variety of networks, including the Internet. Although providing secure authentication mechanisms reduces the risks of unauthorized access to protected resources, the same authentication mechanisms may become barriers to user interaction with the protected resources. Users generally desire the ability to jump from interacting with one application to another application without regard to the authentication barriers that protect each particular system supporting those applications.
As users get more sophisticated, they expect that computer systems coordinate their actions so that burdens on the user are reduced. These types of expectations also apply to authentication processes. A user might assume that once he or she has been authenticated by some computer system, the authentication should be valid throughout the user's working session, or at least for a particular period of time, without regard to the various computer architecture boundaries that are almost invisible to the user. Enterprises generally try to fulfill these expectations in the operational characteristics of their deployed systems, not only to placate users but also to increase user efficiency, whether the user efficiency is related to employee productivity or customer satisfaction.
More specifically, with the current computing environment in which many applications have a Web-based user interface that is accessible through a common browser, users expect more user-friendliness and low or infrequent barriers to movement from one Web-based application to another. In this context, users are coming to expect the ability to jump from interacting with an application on one Internet domain to another application on another domain without regard to the authentication barriers that protect each particular domain. However, even if many systems provide secure authentication through easy-to-use, Web-based interfaces, a user may still be forced to reckon with multiple authentication processes that stymie user access across a set of domains. Subjecting a user to multiple authentication processes in a given time frame may significantly affect the user's efficiency.
Various techniques have been used to reduce authentication burdens on users and computer system administrators. These techniques are generally described as “single-sign-on” (SSO) processes because they have a common purpose: after a user has completed a sign-on operation, i.e. been authenticated, the user is subsequently not required to perform another authentication operation. Hence, the goal is that the user would be required to complete only one authentication process during a particular user session.
Such single-sign-on solutions have been successful when implemented within a given enterprise. However, the barriers that are presented by multiple authentication processes or systems are becoming increasingly common as more enterprises participate in e-commerce marketplaces or other collaborative endeavors connected by the Internet. Previous single-sign-on solutions between enterprises have been limited to homogeneous environments in which there are pre-established business agreements between participating enterprises. These business agreements are used, in part, to establish trust and to limit and define how information is transferred in a secure manner between enterprises. These business agreements also include technological agreements on rules on how to translate, or map, user identities from one enterprise to another, and how to transfer the information used to vouch for users between participating enterprises.
In other words, previous single-sign-on solutions allow one enterprise to trust an authentication assertion (along with the identity of the user provided in the assertion) produced by a different enterprise based on the pre-negotiated or pre-configured agreements. Each distinct enterprise knows how to create and interpret authentication assertions that can be understood by other enterprises that have exchanged similar agreements, such as enterprises within an e-commerce marketplace. These homogeneous environments are tightly coupled because there is a deterministic relationship known by the enterprises for mapping the user identities across these systems. This tight coupling is possible because of the business agreements that are used to establish the single-sign-on environment. Although participating enterprises may cooperate within homogeneous environments by using these previous single-sign-on solutions, these environments are restrictive in view of the need or desire to interconnect multiple homogeneous environments, e.g., interconnected e-commerce marketplaces.
In addition, only part of securing a system is the requirement that a user complete an authentication operation to prove their identity to the system. An equally important part of this process is the requirement that a user complete a logoff operation in order to end a secure session, thereby preventing other users from stealing or otherwise maliciously interfering with a valid session. Therefore, it would be advantageous to have methods and systems in which enterprises can provide similar single-sign-on and similar single-sign-off experiences to users in the absence of predetermined business and technical translation agreements between participating enterprises.